Slide 4: OWASP - Browser's "Refresh"
- Browsers store the headers and POST variables that were sent to the web server while fetching a page.
- When the "Refresh" button is clicked, the request that loaded the current page is re-submitted to the server.

Slide 21: Two ways
- Through the application's "Remember my login" option: it saves a special cookie.
- Through the built-in feature of the browser: the browser stores the username and password on the hard drive at particular locations.

Slide 23: The Attack - Application feature
Step 1: Bob logged out of the application and closed the browser too.
Step 2: Alice gains access to his machine. She
- views the cookie file on the local machine, and
- uses the login credentials to log into the application, OR
- overwrites her own authentication token with Bob's token in the cookie file on her system.

Slide 29: Solution
For "Remember My Login":
- The authentication details/token should not be stored in plain text.
For "Remember password":
- Add the following code for the password field:
- Display a warning message about the insecurities involved in a shared computer environment.
- Use workarounds, e.g. small JavaScript snippets.
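As an added example (not code from the OWASP deck), one way to implement "Remember my login" so that neither the cookie nor the server keeps the password or a reusable secret in plain text: the cookie carries a random selector and validator, the server stores only a hash of the validator, and each record has an expiry and a revocation path. The in-memory store and the 14-day lifetime are hypothetical stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory table standing in for the server-side database.
# Key: selector (looked up from the cookie); value: record with the validator hash.
REMEMBER_ME_STORE: dict = {}
TOKEN_TTL_SECONDS = 14 * 24 * 3600  # hypothetical 14-day lifetime


def issue_remember_me(user: str, now: Optional[float] = None) -> str:
    """Create the cookie value for `user`: "<selector>:<validator>".

    Only SHA-256(validator) is stored server side, so a dumped database cannot be
    turned into valid cookies, and the cookie never contains the password itself.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    REMEMBER_ME_STORE[selector] = {
        "user": user,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"{selector}:{validator}"


def verify_remember_me(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is valid and unexpired, else None."""
    now = time.time() if now is None else now
    selector, _, validator = cookie.partition(":")
    record = REMEMBER_ME_STORE.get(selector)
    if record is None:
        return None
    if now > record["expires"]:
        REMEMBER_ME_STORE.pop(selector, None)  # purge stale record
        return None
    actual = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(record["validator_hash"], actual):  # constant-time
        return None
    return record["user"]


def revoke_remember_me(cookie: str) -> bool:
    """Drop the server-side record (logout, password change, suspected theft)."""
    selector, _, _ = cookie.partition(":")
    return REMEMBER_ME_STORE.pop(selector, None) is not None


def remember_me_set_cookie(cookie: str) -> str:
    """Set-Cookie value: HttpOnly keeps page scripts away, Secure keeps it off plain HTTP."""
    return f"remember_me={cookie}; Max-Age={TOKEN_TTL_SECONDS}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

A cookie copied from the browser's cookie file still works until it expires or is revoked, which is why the lifetime is kept short and why logout and password changes should call revoke_remember_me.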